Snowflake + Steampipe

Snowflake enables data storage, processing, and analytic solutions that are faster, easier to use, and far more flexible than traditional offerings.

Steampipe is an open-source zero-ETL engine to instantly query cloud APIs using SQL.

For example, to list inactive users:

select
  name,
  email,
  disabled,
  last_success_login
from
  snowflake_user
where
  (last_success_login > now() - interval '30 days')
  and last_success_login is not null;

+-----------+------------------+----------+--------------+--------------+--------------------+
| name      | email            | disabled | default_role | has_password | has_rsa_public_key |
+-----------+------------------+----------+--------------+--------------+--------------------+
| ROHIT     | rohit@xyz.com    | false    | ACCOUNTADMIN | true         | false              |
| SUMIT     | sumit@xyz.com    | false    | PUBLIC       | true         | true               |
+-----------+------------------+----------+--------------+--------------+--------------------+

Documentation

Table definitions & examples →

Get started

Install

Download and install the latest Snowflake plugin:

steampipe plugin install snowflake

Credentials

The Snowflake plugin supports multiple ways to authenticate:

Password
Key pair authentication
OAuth access token
OAuth refresh token

For all authentication methods, account, user, and region are required.

Password

You can manage your password through the Web Interface or using SQL.

connection "snowflake" {
  plugin   = "snowflake"
  account  = "xy12345"
  region   = "ap-south-1.aws"
  role     = "ACCOUNTADMIN"
  user     = "steampipe"
  password = "~dummy@pass"
}

Key Pair Authentication

To generate your key pair, please see Key Pair Authentication.

connection "snowflake" {
  plugin                   = "snowflake"
  account                  = "xy12345"
  user                     = "steampipe"
  region                   = "ap-south-1.aws"
  role                     = "ACCOUNTADMIN"
  private_key_path         = "/path/to/rsa_key.p8"
}

OAuth Access Token

To create your OAuth access token, please see Configure Snowflake OAuth for Custom Clients.

If using Okta, please see Configure Okta for External OAuth.

connection "snowflake" {
  plugin             = "snowflake"
  account            = "xy12345"
  user               = "steampipe"
  region             = "ap-south-1.aws"
  role               = "ACCOUNTADMIN"
  oauth_access_token = "eyJraWQiOiJLWjN....jwqt1uCG8Z94ZYZp_LK3YhQbWLkWA"
}

Note: Once the access token in oauth_access_token expires, you'll need to request a new one through an external application and update your connnection config.

OAuth Refresh Token

Because OAuth access tokens typically have a short life, e.g., 10 minutes, refresh tokens may be a better authentication method as they will automatically obtain new access tokens once expired.

To request your OAuth refresh token, please see Configure Snowflake OAuth for Custom Clients

If using Okta, please see Configure Okta for External OAuth.

connection "snowflake" {
  plugin              = "snowflake"
  account             = "xy12345"
  user                = "steampipe"
  region              = "ap-south-1.aws"
  role                = "ACCOUNTADMIN"
  oauth_client_id     = "0oa44dah4cudhAkPU5d7"
  oauth_client_secret = "wkQYoty7kCRrBzmkqBbubxK-egaJDJ5gT1BH-4b-"
  oauth_endpoint      = "https://xyz.abc.com/oauth2/auFGTkTZs5d7/v1/token"
  oauth_redirect_url  = "https://xy1234.ap-south-1.aws.snowflakecomputing.com/"
  oauth_refresh_token = "0oa44dah4cudhAkPU5d70oa44dah4cudhAkPU5d7"
}

Configuration

Installing the latest snowflake plugin will create a config file (~/.steampipe/config/snowflake.spc) with a single connection named snowflake:

connection "snowflake" {
  plugin = "snowflake"

  # Snowflake account ID
  # https://docs.snowflake.com/en/user-guide/admin-account-identifier.html#account-identifier-formats-by-cloud-platform-and-region
  # account = "xy12345"

  # Snowflake username
  # user = "steampipe"

  # Snowflake account region ID, defaults to "us-west-2.aws"
  # https://docs.snowflake.com/en/user-guide/admin-account-identifier.html#snowflake-region-ids
  # region = "us-west-2.aws"

  # Specifies the role to use for accessing Snowflake objects in the client session
  # If not specified, the default role for the user will be used
  # role = "ACCOUNTADMIN"

  # Specifies the Snowflake warehouse to use for executing snowflake queries
  # If not specified, the default warehouse for the user will be used
  # warehouse = "COMPUTE_WH"

  # You can connect to Snowflake using one of the following methods:

  # 1. Password
  # The password for your Snowflake Account
  # password = "~dummy@pass"

  # 2. Key pair authentication
  # https://docs.snowflake.com/en/user-guide/key-pair-auth.html
  # private_key_path       = "/path/to/snowflake/rsa_key.p8"
  # private_key_passphrase = "abcde"

  # OR use the private key directly:

  # private_key            = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHzBJ....au/BUg==\n-----END ENCRYPTED PRIVATE KEY-----"
  # private_key_passphrase = "abcde"

  # 3. OAuth access token
  # https://docs.snowflake.com/en/user-guide/oauth-custom.html
  # oauth_access_token = "eyJraWQiOiJLWjN....jwqt1uCG8Z94ZYZp_LK3YhQbWLkWA"

  # 4. OAuth refresh token
  # https://developer.okta.com/docs/guides/refresh-tokens/main/
  # oauth_client_id     = "0oa44dah4cudhAkPU5b1"
  # oauth_client_secret = "wkQYoty7kCRrBzmkqBbubxK-egaJDJ5gT1BH-4b-"
  # oauth_endpoint      = "https://xyz.abc.com/oauth2/auFGTkTZs5d7/v1/token"
  # oauth_redirect_url  = "https://xy1234.ap-south-1.aws.snowflakecomputing.com/"
  # oauth_refresh_token = "0oa44dah4cudhAkPU5d70oa44dah4cudhAkPU5e2"
}

Postgres FDW

This plugin is available as a native Postgres FDW. Unlike Steampipe CLI, which ships with an embedded Postgres server instance, the Postgres FDW can be installed in any supported Postgres database version.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_postgres_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/postgres.sh)" -- snowflake

The installer will prompt you for the plugin name and version, download and install the appropriate files for your OS, system architecture, and Postgres version.

To configure the Postgres FDW, you will create an extension, foreign server, and schema and import the foreign schema.

CREATE EXTENSION IF NOT EXISTS steampipe_postgres_snowflake;
CREATE SERVER steampipe_snowflake FOREIGN DATA WRAPPER steampipe_postgres_snowflake OPTIONS (config '<your_config>');
CREATE SCHEMA snowflake;
IMPORT FOREIGN SCHEMA snowflake FROM SERVER steampipe_snowflake INTO snowflake;

SQLite Extension

This plugin is available as a SQLite Extension, making the tables available as SQLite virtual tables.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_sqlite_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/sqlite.sh)" -- snowflake

The installer will prompt you for the plugin name, version, and destination directory. It will then determine the OS and system architecture, and it will download and install the appropriate package.

To configure the SQLite extension, load the extension module and then run the steampipe_configure_snowflake function to configure it with plugin-specific options.

$ sqlite3
sqlite> .load ./steampipe_sqlite_extension_snowflake.so
sqlite> select steampipe_configure_snowflake('<your_config>');

Export

This plugin is available as a standalone Export CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- snowflake

You can pass the configuration to the command with the --config argument:

steampipe_export_snowflake --config '<your_config>' <table_name>